From a48d057700c636666a5e835cbcb0b667848008c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?= Date: Fri, 15 Mar 2024 09:13:05 +0100 Subject: nixos: rework configurations management --- nixos/configurations/adm-mpd.nix | 56 +++++++++ nixos/configurations/adm-omnia.nix | 82 +++++++++++++ nixos/configurations/adm-omnia2.nix | 57 +++++++++ nixos/configurations/albert.nix | 41 +++++++ nixos/configurations/binky.nix | 71 +++++++++++ nixos/configurations/dean.nix | 40 ++++++ nixos/configurations/default.nix | 42 +++++++ nixos/configurations/errol.nix | 142 +++++++++++++++++++++ nixos/configurations/gaspode.nix | 17 +++ nixos/configurations/lipwig.nix | 237 ++++++++++++++++++++++++++++++++++++ nixos/configurations/ridcully.nix | 73 +++++++++++ nixos/configurations/spt-mox.nix | 53 ++++++++ nixos/configurations/spt-mox2.nix | 52 ++++++++ nixos/configurations/spt-mpd.nix | 15 +++ nixos/configurations/spt-omnia.nix | 194 +++++++++++++++++++++++++++++ nixos/configurations/spt-omniax.nix | 51 ++++++++ 16 files changed, 1223 insertions(+) create mode 100644 nixos/configurations/adm-mpd.nix create mode 100644 nixos/configurations/adm-omnia.nix create mode 100644 nixos/configurations/adm-omnia2.nix create mode 100644 nixos/configurations/albert.nix create mode 100644 nixos/configurations/binky.nix create mode 100644 nixos/configurations/dean.nix create mode 100644 nixos/configurations/default.nix create mode 100644 nixos/configurations/errol.nix create mode 100644 nixos/configurations/gaspode.nix create mode 100644 nixos/configurations/lipwig.nix create mode 100644 nixos/configurations/ridcully.nix create mode 100644 nixos/configurations/spt-mox.nix create mode 100644 nixos/configurations/spt-mox2.nix create mode 100644 nixos/configurations/spt-mpd.nix create mode 100644 nixos/configurations/spt-omnia.nix create mode 100644 nixos/configurations/spt-omniax.nix (limited to 'nixos/configurations') diff --git a/nixos/configurations/adm-mpd.nix b/nixos/configurations/adm-mpd.nix new file mode 100644 index 0000000..ac3b4de --- /dev/null +++ b/nixos/configurations/adm-mpd.nix @@ -0,0 +1,56 @@ +{ + config, + lib, + ... +}: let + inherit (lib) filterAttrs; +in { + nixpkgs.hostPlatform.system = "aarch64-linux"; + + fileSystems = { + "/" = { + device = "/dev/mmcblk0p2"; + options = ["compress=lzo" "subvol=@nix"]; + }; + "/home" = { + device = "/dev/mmcblk0p2"; + options = ["compress=lzo" "subvol=@home"]; + }; + "/boot" = { + device = "/dev/mmcblk0p1"; + }; + }; + + networking.wireless = { + enable = true; + networks = filterAttrs (n: _: n == "Nela") config.secrets.wifiNetworks; + environmentFile = "/run/secrets/wifi.env"; + userControlled.enable = true; + }; + + #services.pipewire = { + #enable = true; + #alsa.enable = true; + #pulse.enable = true; + #}; + hardware.pulseaudio = { + enable = true; + systemWide = true; + zeroconf.publish.enable = true; + }; + + services.spotifyd = { + enable = true; + settings.global = { + device_name = "Adámkovi"; + device = "sysdefault"; + mixer = "Master"; + bitrate = 320; + cache_path = "/var/cahe/spotify"; + no_audio_cache = true; + volume_normalisation = true; + normalisation_pregain = -10; + initial_volume = 60; + }; + }; +} diff --git a/nixos/configurations/adm-omnia.nix b/nixos/configurations/adm-omnia.nix new file mode 100644 index 0000000..3f857ee --- /dev/null +++ b/nixos/configurations/adm-omnia.nix @@ -0,0 +1,82 @@ +{config, ...}: { + turris.board = "omnia"; + + cynerd = { + router = { + enable = true; + wan = "pppoe-wan"; + lanIP = config.cynerd.hosts.adm.omnia; + }; + wifiAP.adm = { + enable = true; + ar9287.interface = "wlp3s0"; + qca988x.interface = "wlp2s0"; + }; + openvpn.oldpersonal = false; + monitoring.speedtest = true; + }; + + networking.useDHCP = false; + systemd.network = { + networks = { + "end2" = { + matchConfig.Name = "end2"; + #networkConfig = { + # DHCP = "ipv6"; + # IPv6AcceptRA = "yes"; + # DHCPPrefixDelegation = "yes"; + #}; + #dhcpPrefixDelegationConfig = { + # UplinkInterface = ":self"; + # SubnetId = 0; + # Announce = "no"; + #}; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan[1-4]"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + "lan0-guest" = { + matchConfig.Name = "lan0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 2; + PVID = 2; + }; + } + ]; + }; + }; + }; + + services.pppd = { + enable = true; + peers."wan".config = '' + plugin pppoe.so end2 + ifname pppoe-wan + lcp-echo-interval 1 + lcp-echo-failure 5 + lcp-echo-adaptive + +ipv6 + defaultroute + defaultroute6 + usepeerdns + maxfail 1 + user O2 + password 02 + ''; + }; + systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.device"]; +} diff --git a/nixos/configurations/adm-omnia2.nix b/nixos/configurations/adm-omnia2.nix new file mode 100644 index 0000000..19ee446 --- /dev/null +++ b/nixos/configurations/adm-omnia2.nix @@ -0,0 +1,57 @@ +{config, ...}: { + turris.board = "omnia"; + deploy = { + enable = true; + ssh.host = "omnia2.adm"; + }; + + cynerd = { + switch = { + enable = true; + lanAddress = "${config.cynerd.hosts.adm.omnia2}/24"; + lanGateway = config.cynerd.hosts.adm.omnia; + }; + wifiAP.adm = { + enable = true; + ar9287 = { + interface = "wlp1s0"; + bssids = ["12:f0:21:23:2b:00" "12:f0:21:23:2b:01" "12:f0:21:23:2b:02"]; + channel = 11; + }; + qca988x = { + interface = "wlp2s0"; + bssids = ["12:f0:21:23:2b:03" "12:f0:21:23:2b:04" "12:f0:21:23:2b:05"]; + channel = 36; + }; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=8G + ''; + + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks = { + "lan-brlan" = { + matchConfig.Name = "lan* end2"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; +} diff --git a/nixos/configurations/albert.nix b/nixos/configurations/albert.nix new file mode 100644 index 0000000..a6a4ee1 --- /dev/null +++ b/nixos/configurations/albert.nix @@ -0,0 +1,41 @@ +{ + nixpkgs.hostPlatform.system = "x86_64-linux"; + + cynerd = { + desktop = { + enable = true; + laptop = true; + }; + wifiClient = true; + openvpn = { + oldpersonal = true; + }; + }; + + boot.initrd.availableKernelModules = ["xhci_pci" "usb_storage" "sd_mod"]; + + hardware.cpu.intel.updateMicrocode = true; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@nix"]; + }; + "/home" = { + device = "/dev/disk/by-uuid/1c9bafac-fcf8-41c4-b394-bca5917ca82d"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/E403-124B"; + fsType = "vfat"; + }; + + "/home2" = { + device = "/dev/disk/by-uuid/55e177a1-215e-475b-ba9c-771b5fa3f8f0"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + }; +} diff --git a/nixos/configurations/binky.nix b/nixos/configurations/binky.nix new file mode 100644 index 0000000..c51f95b --- /dev/null +++ b/nixos/configurations/binky.nix @@ -0,0 +1,71 @@ +{lib, ...}: let + inherit (lib) mkDefault; +in { + nixpkgs.hostPlatform.system = "x86_64-linux"; + deploy = { + enable = true; + default = false; + }; + + cynerd = { + desktop = { + enable = true; + laptop = true; + }; + wifiClient = true; + develop = true; + openvpn = { + oldpersonal = true; + elektroline = true; + }; + }; + + boot = { + initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage" "sd_mod"]; + kernelModules = ["kvm-amd"]; + }; + + hardware.cpu.amd.updateMicrocode = true; + + boot.initrd.luks.devices = { + "encroot".device = "/dev/disk/by-uuid/b317feb5-d68d-4ec3-a24f-0307c116cac8"; + }; + fileSystems = { + "/" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@"]; + }; + "/nix" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@nix"]; + }; + "/home" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/8F7D-A154"; + fsType = "vfat"; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + services.syncthing = { + enable = true; + user = mkDefault "cynerd"; + group = mkDefault "cynerd"; + openDefaultPorts = true; + + overrideDevices = false; + overrideFolders = false; + + dataDir = "/home/cynerd"; + configDir = "/home/cynerd/.config/syncthing"; + }; +} diff --git a/nixos/configurations/dean.nix b/nixos/configurations/dean.nix new file mode 100644 index 0000000..b91083c --- /dev/null +++ b/nixos/configurations/dean.nix @@ -0,0 +1,40 @@ +{pkgs, ...}: { + nixpkgs.hostPlatform.system = "aarch64-linux"; + + cynerd = { + openvpn = { + oldpersonal = true; + }; + monitoring.speedtest = true; + }; + + networking = { + bridges = { + brlan = { + interfaces = [ + "eth0" + "lan1" + "lan2" + "lan3" + "lan4" + ]; + }; + }; + dhcpcd.allowInterfaces = ["brlan"]; + }; + + swapDevices = [ + { + device = "/var/swap"; + priority = 1; + } + ]; + + environment.systemPackages = with pkgs; [ + #openocd + tio + ]; + + # TODO: ubootTools build is broken! + firmware.environment.enable = false; +} diff --git a/nixos/configurations/default.nix b/nixos/configurations/default.nix new file mode 100644 index 0000000..497c0fb --- /dev/null +++ b/nixos/configurations/default.nix @@ -0,0 +1,42 @@ +self: let + inherit (builtins) readDir; + inherit (self.inputs) nixpkgs nixturris; + inherit + (nixpkgs.lib) + filterAttrs + composeManyExtensions + hasSuffix + nameValuePair + nixosSystem + removeSuffix + mapAttrs + mapAttrs' + ; +in + mapAttrs' ( + fname: _: let + name = removeSuffix ".nix" fname; + in + nameValuePair name (nixosSystem { + modules = [ + (./. + ("/" + fname)) + {networking.hostName = name;} + self.nixosModules.default + ]; + specialArgs = { + inputModules = + mapAttrs (v: v.nixosModules) self.inputs + // { + vpsadminos = self.inputs.vpsadminos.nixosConfigurations.container; + }; + lib = nixpkgs.lib.extend (composeManyExtensions [ + nixturris.overlays.lib + self.overlays.lib + ]); + }; + }) + ) + (filterAttrs ( + n: v: + v == "regular" && n != "default.nix" && hasSuffix ".nix" n + ) (readDir ./.)) diff --git a/nixos/configurations/errol.nix b/nixos/configurations/errol.nix new file mode 100644 index 0000000..a9475ef --- /dev/null +++ b/nixos/configurations/errol.nix @@ -0,0 +1,142 @@ +{ + config, + lib, + pkgs, + ... +}: let + inherit (lib) mkDefault; +in { + nixpkgs.hostPlatform.system = "x86_64-linux"; + deploy.enable = true; + + cynerd = { + desktop.enable = true; + develop = true; + gaming = true; + openvpn = { + elektroline = true; + }; + }; + + boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; + boot.kernelModules = ["kvm-amd"]; + + hardware.cpu.amd.updateMicrocode = true; + services.hardware.openrgb.motherboard = "amd"; + + cynerd.autounlock = { + "encroot" = "/dev/disk/by-uuid/7c412ae6-6016-45af-8c2a-8fcc394dbbe6"; + "enchdd1" = "/dev/disk/by-uuid/87f16080-5ff6-43dd-89f3-307455a46fbe"; + "enchdd2" = "/dev/disk/by-uuid/be4a33fa-8bc6-431d-a3ac-787668f223ed"; + }; + fileSystems = { + "/" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@nix"]; + }; + "/home" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/49D9-3A0D"; + fsType = "vfat"; + }; + + "/home2" = { + device = "/dev/mapper/enchdd1"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/" "/home2"]; + }; + #services.beesd.filesystems = { + # root = { + # spec = "/"; + # hashTableSizeMB = 4096; # 4KB blocks for 1TB drive + # extraOptions = ["--workaround-btrfs-send"]; + # }; + # hdd = { + # spec = "/home2"; + # hashTableSizeMB = 8192; # 4KB blocks for 2TB drive + # extraOptions = ["--workaround-btrfs-send"]; + # }; + #}; + + services.syncthing = { + enable = true; + user = mkDefault "cynerd"; + group = mkDefault "cynerd"; + openDefaultPorts = true; + + overrideDevices = false; + overrideFolders = false; + + dataDir = "/home/cynerd"; + configDir = "/home/cynerd/.config/syncthing"; + }; + + nixpkgs.config.permittedInsecurePackages = ["openssl-1.1.1w"]; # TODO + services.home-assistant = { + enable = true; + openFirewall = true; + configDir = "/var/lib/hass"; + config = { + homeassistant = { + name = "SPT"; + latitude = "!secret latitude"; + longitude = "!secret longitude"; + elevation = "!secret elevation"; + time_zone = "Europe/Prague"; + country = "CZ"; + }; + http.server_port = 8808; + mqtt = { + sensor = import ../modules/home-assistant/sensors.nix; + light = import ../modules/home-assistant/light.nix; + }; + default_config = {}; + automation = "!include automations.yaml"; + }; + extraComponents = ["met"]; + package = pkgs.home-assistant.override { + extraPackages = pkgs: + with pkgs; [ + securetar + pyipp + ]; + }; + }; + + services.zigbee2mqtt = { + enable = true; + settings = { + serial.port = "/dev/serial/by-id/usb-ITEAD_SONOFF_Zigbee_3.0_USB_Dongle_Plus_V2_20220812153849-if00"; + mqtt = { + server = "mqtt://${config.cynerd.hosts.spt.mox}:1883"; + user = "zigbee2mqtt"; + password = "!secret.yaml mqtt_password"; + }; + advanced = { + network_key = "!secret.yaml network_key"; + homeassistant_legacy_entity_attributes = false; + legacy_api = false; + legacy_availability_payload = false; + last_seen = "epoch"; + }; + frontend = true; + availability = true; + homeassistant = { + legacy_triggers = false; + }; + device_options.legacy = false; + permit_join = false; + devices = config.secrets.zigbee2mqttDevices; + }; + }; +} diff --git a/nixos/configurations/gaspode.nix b/nixos/configurations/gaspode.nix new file mode 100644 index 0000000..78d8277 --- /dev/null +++ b/nixos/configurations/gaspode.nix @@ -0,0 +1,17 @@ +{ + nixpkgs.hostPlatform.system = "armv7l-linux"; + + fileSystems = { + "/" = { + device = "/dev/mmcblk0p2"; + options = ["compress=lzo" "subvol=@nix"]; + }; + "/home" = { + device = "/dev/mmcblk0p2"; + options = ["compress=lzo" "subvol=@home"]; + }; + "/boot" = { + device = "/dev/mmcblk0p1"; + }; + }; +} diff --git a/nixos/configurations/lipwig.nix b/nixos/configurations/lipwig.nix new file mode 100644 index 0000000..c484541 --- /dev/null +++ b/nixos/configurations/lipwig.nix @@ -0,0 +1,237 @@ +{ + config, + pkgs, + inputModules, + ... +}: { + imports = [inputModules.vpsadminos]; + + config = { + nixpkgs.hostPlatform.system = "x86_64-linux"; + + deploy = { + enable = true; + ssh.host = "cynerd.cz"; + }; + + cynerd = { + syncthing = { + enable = false; + baseDir = "/nas"; + }; + openvpn.oldpersonal = true; + }; + + boot.loader.systemd-boot.enable = false; + + fileSystems."/nas" = { + device = "172.16.128.63:/nas/2682"; + fsType = "nfs"; + }; + + networking.firewall = { + allowedTCPPorts = [80 443]; + allowedUDPPorts = [1194]; + }; + + # Web ###################################################################### + services.nginx = { + enable = true; + virtualHosts = { + "cynerd.cz" = { + forceSSL = true; + enableACME = true; + locations = { + "/".root = ../../web; + "/radicale/" = { + proxyPass = "http://127.0.0.1:5232/"; + extraConfig = '' + proxy_set_header X-Script-Name /radicale; + proxy_pass_header Authorization; + ''; + }; + }; + }; + "git.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + root = "${pkgs.cgit}/cgit"; + locations."/".tryFiles = "$uri @cgit"; + locations."@cgit".extraConfig = '' + fastcgi_param SCRIPT_FILENAME ${pkgs.cgit}/cgit/cgit.cgi; + fastcgi_pass unix:${config.services.fcgiwrap.socketAddress}; + fastcgi_param PATH_INFO $uri; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + ''; + }; + "cloud.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + }; + "grafana.cynerd.cz" = { + forceSSL = true; + useACMEHost = "cynerd.cz"; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}/"; + extraConfig = "proxy_set_header Host $host;"; + proxyWebsockets = true; + }; + }; + }; + }; + services.fcgiwrap = { + enable = true; + inherit (config.services.nginx) group; + }; + security.acme = { + acceptTerms = true; + defaults.email = "cynerd+acme@email.cz"; + certs."cynerd.cz".extraDomainNames = [ + "git.cynerd.cz" + "cloud.cynerd.cz" + "grafana.cynerd.cz" + ]; + }; + + # Git ###################################################################### + services.gitolite = { + enable = true; + user = "git"; + group = "git"; + dataDir = "/var/lib/git"; + adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIaMmBV0wPvG5JQIWxi20IDlLokhRBumTEbUUD9TNWoY Bootstrap gitolite key"; + }; + services.gitDaemon = { + enable = false; + user = "gitdemon"; + group = "gitdaemon"; + basePath = "/var/lib/git/repositories"; + }; + environment.etc."cgitrc".text = '' + root-title=Cynerd's git repository + root-desc=All my projects (at least those released to public) + #logo=cynerd.cz/wolf.svg + virtual-root=/ + + # Allow download of tar.gz, tar.bz2 and zip-files + snapshots=tar.gz tar.bz2 zip + ## List of common mimetypes + mimetype.gif=image/gif + mimetype.html=text/html + mimetype.jpg=image/jpeg + mimetype.jpeg=image/jpeg + mimetype.pdf=application/pdf + mimetype.png=image/png + mimetype.svg=image/svg+xml + + source-filter=${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py + about-filter=${pkgs.cgit}/lib/cgit/filters/about-formatting.sh + + readme=:README.md + readme=:README.adoc + + enable-index-owner=0 + enable-index-links=1 + enable-http-clone=1 + clone-url=https://git.cynerd.cz/$CGIT_REPO_URL git://cynerd.cz/$CGIT_REPO_URL.git git@cynerd.cz:$CGIT_REPO_URL + enable-commit-graph=1 + branch-sort=age + + remove-suffix=1 + enable-git-config=1 + project-list=/var/lib/git/projects.list + scan-path=/var/lib/git/repositories/ + ''; + + # Nextcloud ################################################################ + services.nextcloud = { + enable = true; + package = pkgs.nextcloud28; + https = true; + hostName = "cloud.cynerd.cz"; + datadir = "/nas/nextcloud"; + config = { + adminuser = "cynerd"; + adminpassFile = "/run/secrets/nextcloud.admin.pass"; + dbtype = "pgsql"; + dbhost = "/run/postgresql"; + dbtableprefix = "oc_"; + }; + settings = { + #log_type = "systemd"; + default_phone_region = "CZ"; + }; + phpExtraExtensions = php: [php.pgsql php.pdo_pgsql]; + phpOptions = { + "opcache.interned_strings_buffer" = "16"; + }; + maxUploadSize = "1G"; + appstoreEnable = false; + extraApps = { + inherit + (config.services.nextcloud.package.packages.apps) + bookmarks + calendar + contacts + cookbook + deck + forms + groupfolders + impersonate + maps + memories + notes + phonetrack + previewgenerator + spreed + tasks + twofactor_nextcloud_notification + twofactor_webauthn + ; + # Additional modules can be fetched with: + # NEXTCLOUD_VERSIONS=28 nix run nixpkgs#nc4nix -- -apps "passwords,integration_homeassistant,integration_github,integration_gitlab" + passwords = pkgs.fetchNextcloudApp { + url = "https://git.mdns.eu/api/v4/projects/45/packages/generic/passwords/2024.2.0/passwords.tar.gz"; + sha256 = "0s5z6pxkcwmhlbzy9s2g0s05n1iqjmxr2jqxz7ayklin9kcgr3h7"; + license = "agpl3"; + }; + integration_github = pkgs.fetchNextcloudApp { + url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz"; + sha256 = "0rjdlsalayb21nmh3j5bl42dcbavxka2r5g9csagz7vc9dl0qrw6"; + license = "agpl3"; + }; + integration_gitlab = pkgs.fetchNextcloudApp { + url = "https://github.com/nextcloud-releases/integration_gitlab/releases/download/v1.0.18/integration_gitlab-v1.0.18.tar.gz"; + sha256 = "13vlbr7sigqrh480a9zp7zl9nbzb4pk8m1zzlqv9lkzj3zywp7mi"; + license = "agpl3"; + }; + }; + }; + environment.systemPackages = with pkgs; [exiftool ffmpeg-headless nodejs]; + + # Postgresql ############################################################### + services.postgresql = { + enable = true; + ensureUsers = [ + { + name = "nextcloud"; + ensureDBOwnership = true; + } + ]; + ensureDatabases = ["nextcloud"]; + }; + + # Old Syncthing ############################################################ + services.syncthing = { + enable = true; + openDefaultPorts = true; + + overrideDevices = false; + overrideFolders = false; + + dataDir = "/nas/sync"; + configDir = "/nas/sync/.syncthing"; + }; + }; +} diff --git a/nixos/configurations/ridcully.nix b/nixos/configurations/ridcully.nix new file mode 100644 index 0000000..3e2b474 --- /dev/null +++ b/nixos/configurations/ridcully.nix @@ -0,0 +1,73 @@ +{lib, ...}: let + inherit (lib) mkDefault; +in { + nixpkgs.hostPlatform.system = "x86_64-linux"; + deploy.enable = true; + + cynerd = { + desktop.enable = true; + develop = true; + gaming = true; + openvpn = { + elektroline = true; + }; + }; + + boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "usb_storage"]; + boot.kernelModules = ["kvm-amd"]; + + hardware.cpu.amd.updateMicrocode = true; + services.hardware.openrgb.motherboard = "amd"; + + cynerd.autounlock = { + "encroot" = "/dev/disk/by-uuid/bc7d2ba4-6e04-4c49-b40c-3aecd1a86c71"; + "enchdd" = "/dev/disk/by-uuid/7fee3cda-efa0-47cd-8832-fdead9a7e6db"; + }; + fileSystems = { + "/" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@nix"]; + }; + "/home" = { + device = "/dev/mapper/encroot"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + "/boot" = { + device = "/dev/disk/by-uuid/6DAD-3819"; + fsType = "vfat"; + }; + + "/home2" = { + device = "/dev/mapper/enchdd"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@home"]; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/" "/home2"]; + }; + + #networking.vlans."enp6s0.adm" = { + #id = 2; + #interface = "enp6s0"; + #}; + + services.syncthing = { + enable = true; + user = mkDefault "cynerd"; + group = mkDefault "cynerd"; + openDefaultPorts = true; + + overrideDevices = false; + overrideFolders = false; + + dataDir = "/home/cynerd"; + configDir = "/home/cynerd/.config/syncthing"; + }; + + # Force nix to use less jobs + nix.settings.max-jobs = 8; +} diff --git a/nixos/configurations/spt-mox.nix b/nixos/configurations/spt-mox.nix new file mode 100644 index 0000000..7b1ffb8 --- /dev/null +++ b/nixos/configurations/spt-mox.nix @@ -0,0 +1,53 @@ +{config, ...}: { + turris.board = "mox"; + deploy = { + enable = true; + ssh.host = "mox.spt"; + }; + + cynerd = { + home-assistant = true; + switch = { + enable = true; + lanAddress = "${config.cynerd.hosts.spt.mox}/24"; + lanGateway = config.cynerd.hosts.spt.omnia; + }; + wifiAP.spt = { + enable = true; + qca988x = { + interface = "wls1"; + bssids = ["04:f0:21:24:24:d2" "08:f0:21:24:24:d2"]; + channel = 7; + }; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=512M + ''; + + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks = { + "lan-brlan" = { + matchConfig.Name = "lan* end0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; +} diff --git a/nixos/configurations/spt-mox2.nix b/nixos/configurations/spt-mox2.nix new file mode 100644 index 0000000..612e85e --- /dev/null +++ b/nixos/configurations/spt-mox2.nix @@ -0,0 +1,52 @@ +{config, ...}: { + turris.board = "mox"; + deploy = { + enable = true; + ssh.host = "mox2.spt"; + }; + + cynerd = { + switch = { + enable = true; + lanAddress = "${config.cynerd.hosts.spt.mox2}/24"; + lanGateway = config.cynerd.hosts.spt.omnia; + }; + wifiAP.spt = { + enable = true; + qca988x = { + interface = "wls1"; + bssids = ["04:f0:21:45:d3:47" "08:f0:21:45:d3:47"]; + channel = 1; + }; + }; + }; + + services.journald.extraConfig = '' + SystemMaxUse=512M + ''; + + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/"]; + }; + + networking = { + useNetworkd = true; + useDHCP = false; + }; + systemd.network.networks = { + "lan-brlan" = { + matchConfig.Name = "end0"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; +} diff --git a/nixos/configurations/spt-mpd.nix b/nixos/configurations/spt-mpd.nix new file mode 100644 index 0000000..b212932 --- /dev/null +++ b/nixos/configurations/spt-mpd.nix @@ -0,0 +1,15 @@ +{inputModules, ...}: { + imports = [inputModules.nixos-hardware.raspberry-pi-2]; + + config = { + nixpkgs.hostPlatform.system = "armv7l-linux"; + + fileSystems = { + "/" = { + device = "/dev/mmcblk0p1"; + fsType = "btrfs"; + options = ["compress=lzo"]; + }; + }; + }; +} diff --git a/nixos/configurations/spt-omnia.nix b/nixos/configurations/spt-omnia.nix new file mode 100644 index 0000000..ca4d211 --- /dev/null +++ b/nixos/configurations/spt-omnia.nix @@ -0,0 +1,194 @@ +{ + config, + pkgs, + ... +}: let + hosts = config.cynerd.hosts.spt; +in { + turris.board = "omnia"; + deploy = { + enable = true; + ssh.host = "omnia.spt"; + }; + + cynerd = { + router = { + enable = true; + wan = "pppoe-wan"; + lanIP = hosts.omnia; + staticLeases = { + "a8:a1:59:10:32:c4" = hosts.errol; + "7c:b0:c2:bb:9c:ca" = hosts.albert; + "4c:d5:77:0d:85:d9" = hosts.binky; + "b8:27:eb:57:a2:31" = hosts.mpd; + "74:bf:c0:42:82:19" = hosts.printer; + }; + }; + wifiAP.spt = { + enable = true; + ar9287 = { + interface = "wlp1s0"; + bssids = ["04:f0:21:24:21:93" "08:f0:21:24:21:93"]; + channel = 11; + }; + qca988x = { + interface = "wlp3s0"; + bssids = ["04:f0:21:23:16:64" "08:f0:21:23:16:64"]; + channel = 36; + }; + }; + openvpn.oldpersonal = true; + monitoring.speedtest = true; + }; + + services.journald.extraConfig = '' + SystemMaxUse=512M + ''; + + environment = { + etc.crypttab.text = '' + nas UUID=3472bef9-cbae-48bd-873e-fd4858a0b72f /run/secrets/luks-spt-omnia-nas.key luks + nassec UUID=016e9e75-bbc8-4b24-8bb7-c800c8f6a500 /run/secrets/luks-spt-omnia-nas.key luks + ''; + systemPackages = with pkgs; [ + cryptsetup + ]; + }; + fileSystems = { + "/data" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@data" "nofail"]; + }; + "/srv" = { + device = "/dev/mapper/nas"; + fsType = "btrfs"; + options = ["compress=lzo" "subvol=@srv" "nofail"]; + depends = ["/data"]; + }; + }; + services.btrfs.autoScrub = { + enable = true; + fileSystems = ["/" "/data"]; + }; + services.udev.packages = [ + (pkgs.writeTextFile rec { + name = "queue_depth_sata.rules"; + destination = "/etc/udev/rules.d/50-${name}"; + text = '' + SUBSYSTEMS=="pci", DRIVER=="ahci", ATTR{device}!="0x0612", GOTO="turris_pci_end" + ACTION=="add|change", SUBSYSTEM=="scsi", ATTR{vendor}=="ATA", ATTR{queue_depth}="1" + LABEL="turris_pci_end" + ''; + }) + ]; + + users = { + groups.nas = {}; + users = { + nas = { + group = "nas"; + openssh.authorizedKeys.keyFiles = [(config.personal-secrets + "/unencrypted/nas.pub")]; + isNormalUser = true; + home = "/data/nas"; + homeMode = "770"; + }; + cynerd.extraGroups = ["nas"]; + }; + }; + services.openssh = { + settings.Macs = ["hmac-sha2-256"]; # Allow sha2-256 for Nexcloud access + extraConfig = '' + Match User nas + X11Forwarding no + AllowTcpForwarding no + AllowAgentForwarding no + ForceCommand internal-sftp -d /data/nas + ''; + }; + services.fail2ban.enable = true; + + networking.useDHCP = false; + systemd.network = { + netdevs = { + "end2.848" = { + netdevConfig = { + Kind = "vlan"; + Name = "end2.848"; + }; + vlanConfig.Id = 848; + }; + }; + networks = { + "end2" = { + matchConfig.Name = "end2"; + networkConfig.VLAN = ["end2.848"]; + }; + "end2.848" = { + matchConfig.Name = "end2.848"; + networkConfig.BindCarrier = "end2"; + }; + "pppoe-wan" = { + matchConfig.Name = "pppoe-wan"; + networkConfig = { + BindCarrier = "end2.848"; + DHCP = "ipv6"; + IPv6AcceptRA = "no"; + DHCPPrefixDelegation = "yes"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; + }; + + services.pppd = { + enable = true; + peers."wan".config = '' + plugin pppoe.so end2.848 + ifname pppoe-wan + lcp-echo-interval 1 + lcp-echo-failure 5 + lcp-echo-adaptive + defaultroute + defaultroute6 + usepeerdns + maxfail 1 + user metronet + password metronet + ''; + }; + systemd.services."pppd-wan".after = ["sys-subsystem-net-devices-end2.848.device"]; + # TODO limit NSS clamping to just pppoe-wan + networking.firewall.extraForwardRules = '' + tcp flags syn tcp option maxseg size set rt mtu comment "Needed for PPPoE to fix IPv4" + iifname {"home", "personalvpn"} oifname {"home", "personalvpn"} accept + ''; + + services.syncthing = { + enable = false; + openDefaultPorts = true; + + overrideDevices = false; + overrideFolders = false; + + dataDir = "/data"; # TODO this can't be the location + }; +} diff --git a/nixos/configurations/spt-omniax.nix b/nixos/configurations/spt-omniax.nix new file mode 100644 index 0000000..4f9e0e0 --- /dev/null +++ b/nixos/configurations/spt-omniax.nix @@ -0,0 +1,51 @@ +{ + turris.board = "omnia"; + + cynerd = { + router = { + enable = true; + wan = "end2"; + lanIP = "192.168.2.1"; + }; + wifiAP.spt = { + enable = true; + ar9287.interface = "wlp3s0"; + qca988x.interface = "wlp2s0"; + }; + monitoring.speedtest = true; + }; + + networking.useDHCP = false; + systemd.network = { + networks = { + "end2" = { + matchConfig.Name = "end2"; + networkConfig = { + BindCarrier = "end2"; + DHCP = "yes"; + IPv6AcceptRA = "yes"; + DHCPPrefixDelegation = "yes"; + }; + dhcpPrefixDelegationConfig = { + UplinkInterface = ":self"; + SubnetId = 0; + Announce = "no"; + }; + linkConfig.RequiredForOnline = "routable"; + }; + "lan-brlan" = { + matchConfig.Name = "lan*"; + networkConfig.Bridge = "brlan"; + bridgeVLANs = [ + { + bridgeVLANConfig = { + EgressUntagged = 1; + PVID = 1; + }; + } + {bridgeVLANConfig.VLAN = 2;} + ]; + }; + }; + }; +} -- cgit v1.2.3